Hacker News | exec's comments

Yes. I managed to reproduce the issue with slf4j + log4j2.


Can you please share a code sample, and what versions did you use? I am unable to replicate with log4j 1.2.12, slf4j 1.7.6, java8-151.


Affected versions >= 2.0.0, < 2.0.11 < 1.11.10

So you are safe!


Do you have any reference about < 1.11.10 being affected? I thought versions 1.x were not affected.


Not using HTTPS is a critical mistake. An adversary can just do a MITM attack and send modified code to the user's browser to steal passwords.

It's not the best idea to share sensitive documents without using HTTPS.


Confirm. This system was obviously designed by people who had no idea what they were doing, which is about the last thing you want in a cryptosystem. Failing to authenticate the JS cryptographic code (TLS would've helped here) makes this system effectively worthless and simple to MitM.

A good read on the matter is Matasano's JavaScript Cryptography Considered Harmful: http://www.matasano.com/articles/javascript-cryptography/


I wasn't aware of the MITM issues, thank you for letting me know. I'm working on setting up a cert as we speak.


HTTPS is now enabled on the site. Thanks for letting me know.

Just curious, do you see any other red flags in the system?


Most internet banking systems in my country run on Java. And most of them can be affected if you know where to put this number.


Yes, but fortunately, there is not much reason why anybody would use double when developing a banking system.


They don't have to use it directly.

  GET / HTTP/1.0
  Accept-Language: en;q=2.2250738585072012e-308

If you're running Tomcat and you call getLocale() on that servlet request, you're toast.


This is precisely why "q" is defined only to accept three digits after the decimal. It's actually not a floating point number, and anyone who parses it as such is just being lazy.

"q" is more properly represented natively as an integer between 0 and 1000.


Apparently q is not properly parsed in JBoss, which is based on Apache Tomcat. Scary, no?
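A strict q-value parser, added here as an example; it is not code from this thread, nor from Tomcat or JBoss. It follows the RFC 2616 grammar the comment above refers to (a leading 0 or 1 with at most three digits after the decimal point) and stores q as an integer number of thousandths, so the literal from the request earlier in the thread is rejected by the grammar check and never reaches a floating-point parser. It is written in Python rather than Java for brevity; the function names, the `QVALUE_RE`/`LANG_RANGE_RE` patterns and the sample headers are this example's own constructions.

```python
import re

# RFC 2616 section 3.9 grammar for a quality value:
#   qvalue = ( "0" [ "." 0*3DIGIT ] ) | ( "1" [ "." 0*3("0") ] )
# No sign, no exponent, at most three digits after the point.
QVALUE_RE = re.compile(r'^(?:0(?:\.[0-9]{0,3})?|1(?:\.0{0,3})?)$')

# Loose language-range shape from RFC 2616 section 14.4 (or "*"), used only
# so that garbage before the ';' does not end up treated as a language.
LANG_RANGE_RE = re.compile(r'^(?:\*|[A-Za-z]{1,8}(?:-[A-Za-z0-9]{1,8})*)$')


def parse_qvalue(text):
    """Return a q value as an integer number of thousandths (0..1000).

    The text is never handed to float(): it is matched against the grammar
    first, so "2.2250738585072012e-308" and similar inputs raise ValueError
    before any numeric conversion happens.
    """
    text = text.strip()
    if not QVALUE_RE.match(text):
        raise ValueError('invalid qvalue: %r' % text)
    whole, _, frac = text.partition('.')
    # Pad the fraction to exactly three digits: "0.8" -> 800, "0.05" -> 50.
    return int(whole) * 1000 + int(frac.ljust(3, '0'))


def is_valid_qvalue(text):
    """Boolean form of parse_qvalue for callers that only want to validate."""
    try:
        parse_qvalue(text)
        return True
    except ValueError:
        return False


def parse_accept_language(header):
    """Parse an Accept-Language value into [(language_range, q_thousandths)]
    sorted by descending q (stable sort, so header order breaks ties).

    Elements whose q does not fit the grammar are dropped rather than guessed;
    elements with q=0 are kept so callers can see explicit exclusions.
    """
    results = []
    for element in header.split(','):
        parts = [p.strip() for p in element.split(';')]
        lang = parts[0]
        if not LANG_RANGE_RE.match(lang):
            continue
        q = 1000  # RFC default when no q parameter is present
        for param in parts[1:]:
            name, _, value = param.partition('=')
            if name.strip().lower() == 'q':
                if not is_valid_qvalue(value):
                    q = None
                    break
                q = parse_qvalue(value)
        if q is not None:
            results.append((lang, q))
    results.sort(key=lambda item: -item[1])
    return results


# Constructed sample inputs: the header from the request quoted in this
# thread, and an ordinary multi-language header.
HOSTILE_HEADER = 'en;q=2.2250738585072012e-308'
NORMAL_HEADER = 'da, en-gb;q=0.8, en;q=0.7'

if __name__ == '__main__':
    print(parse_accept_language(NORMAL_HEADER))   # [('da', 1000), ('en-gb', 800), ('en', 700)]
    print(parse_accept_language(HOSTILE_HEADER))  # []
```

Because the grammar check runs before any conversion, the worst a hostile q can do is get its element discarded; the example does not check how any particular servlet container parses the header, only what a parser that respects the RFC grammar should do.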


I never heard back from dmoz.org. I tried to add my customer's website years ago...


